Abstract
This research examines the prediction of cyber security threats by combining knowledge sharing models with ensemble machine learning techniques. It demonstrates how cyber threat intelligence can be used to construct models of both attackers and defending systems, and then applies these models to the problem of predicting how the latter might be prone to the former. The ‘main plank’ of the research is divided into three parts:
1) A new domain-specific language for modelling the defending system and its properties, within the same information environment as intelligence that describes the tactics, techniques and procedures of malicious actors.
2) A new event processing method that encompasses discrete and ensemble classification algorithms to estimate the presence of threats within a system, by comparing observed events to threat actor activities learned from real intelligence material.
3) A new biologically-inspired technique that applies principles from genomics to evaluate the security of synthetic systems. This ‘artificial genome’ models both the benign (defending) and malign (attacking) systems. The scheme includes a propensity test that evaluates the benign system’s proneness to potential, malign attack vectors.
The work introduces new approaches to knowledge representation, computational inference and machine learning in the exploitation of intelligence for threat prediction. It is distinguished by modelling both the benign and malign systems within the same decision space: conventional threat intelligence focuses on the latter, meaning its use in practice requires potentially extensive human effort. The research’s findings are proposed as extensions to the (open source) Structured Threat Information Expression standard, complementary to other programmes such as the Common Attack Pattern Enumerations and Classifications and the Vocabulary for Event Recording and Incident Sharing. The work was tested experimentally by constructing domain models of representative systems and reasoning over them. When applied to The MITRE Corporation’s Adversary Tactics, Techniques and Common Knowledge dataset under laboratory conditions, the processing method shows promising results in detecting malicious actors, yielding prediction accuracy up to the 92nd percentile for some organisational data and the 89th percentile for some events. The artificial genome technique was further applied to the detection of attack vectors within complex software-heavy systems and was able to draw new inferences about the organisations targeted by specific threat actors.
| Date of Award | 16 Jan 2025 |
|---|---|
| Original language | English |
| Awarding Institution | |
| Supervisor | Alaa Mohasseb (Supervisor), Alexander Gegov (Supervisor) & Benjamin Aziz (Supervisor) |